This skill is vulnerable to prompt injection and executes opaque external
Claims to do
Todo4 Onboarding Skill: This is a fixed 4-step procedure. Follow it exactly, in order, one step at a time. Do not improvise, summarize, or skip steps.
Actually does
The skill prompts the user for an email, then executes `scripts/register.sh` to send an OTP. It then prompts for the OTP, runs `scripts/verify.sh` to obtain an `ACCESS_TOKEN` using `jq`, and finally executes `scripts/connect.sh` with the token and agent name. This last step extracts a one-time `WEB_LOGIN_URL` from the script's output and presents it to the user.
openclaw skills install panitw/todo4-onboard
DeBERTa classifier detected prompt injection (confidence: 0.98)
The skill executes shell scripts (`register.sh`, `verify.sh`) using user-provided email and verification code. If these inputs are not properly sanitized within the scripts, a malicious user could inject arbitrary shell commands.
scripts/register.sh <email>
ACCESS_TOKEN=$(scripts/verify.sh <email> <code> | jq -r '.accessToken')
The skill handles highly sensitive credentials (access tokens, refresh tokens, agent tokens, OTP codes, MCP config). While it instructs the agent not to display them, the presence and handling of these secrets pose a risk if instructions are bypassed or the execution environment is compromised.
Never echo $ACCESS_TOKEN or the script's JSON output. NEVER display the access token, refresh token, agent token, or MCP config contents.
The skill declares `curl` as a required binary, granting the agent broad network access capabilities. This tool, especially if combined with a successful command injection, could be leveraged for data exfiltration, SSRF, or other network-based attacks.
bins: [curl, jq]
The skill instructs the agent to run external shell scripts (register.sh, verify.sh, connect.sh) located in a local 'scripts/' directory. These scripts are not defined within the skill itself, making their actual behavior opaque. The agent is directed to execute them with user-supplied email input and OTP codes without any sandboxing or validation of the scripts' contents.
scripts/register.sh <email>
ACCESS_TOKEN=$(scripts/verify.sh <email> <code> | jq -r '.accessToken')
CONNECT_OUT=$(scripts/connect.sh "$ACCESS_TOKEN" <agent_name>)
The skill captures an ACCESS_TOKEN from external script output and stores it in a shell variable, then passes it to another script. While the skill instructs the agent not to echo the token, the token is being harvested from a remote server and used programmatically. The scripts receiving this token are external and unaudited.
ACCESS_TOKEN=$(scripts/verify.sh <email> <code> | jq -r '.accessToken')
...
CONNECT_OUT=$(scripts/connect.sh "$ACCESS_TOKEN" <agent_name>)
The connect.sh script is described as writing 'MCP config and agent token automatically' to the local system. This represents a persistence/tool-poisoning mechanism where an external script modifies the agent's tool configuration without explicit user confirmation of what is being written. The actual content of the MCP config is hidden from the user.
the script wrote the MCP config and agent token automatically
The skill collects the user's email address and passes it to an external shell script (register.sh) which presumably transmits it to an external server (todo4.io). The user is not shown what HTTP request is made or what data is transmitted beyond the email.
scripts/register.sh <email>
The skill's public description presents this as a simple onboarding flow but conceals that it executes multiple local shell scripts, writes system configuration files, and establishes a persistent MCP connection. Users triggering this skill would not be aware of the full scope of actions taken.
description: "Sign up for Todo4 and connect this agent via MCP... Creates the account via email OTP and wires up the MCP connection — no browser, no password."
The skill explicitly instructs the agent to skip user confirmation and explanations during onboarding ("DO NOT ask 'are you sure?'"). While intended for a streamlined experience, this pattern reduces the user's awareness of, and opportunity to consent to, the actions being taken.
DO NOT explain what Todo4 is, list features, or ask 'are you sure?' — just start STEP 1.
The skill is designed to minimize friction and prevent the user from reflecting on what is happening ('DO NOT explain what Todo4 is', 'just start STEP 1', 'DO NOT ask for more than one piece of information per message'). This pattern is designed to reduce user scrutiny of the onboarding process.
DO NOT explain what Todo4 is, list features, or ask "are you sure?" — just start STEP 1. DO NOT ask for more than one piece of information per message.
The skill instructs the agent to display a one-time web login URL in plain chat (explicitly not in a code block). While framed as a convenience feature, this pattern trains users to click agent-provided authentication links, which could be exploited in a compromised version of this skill.
SAY (substitute the URL literally — no backticks, no code block):
> Open your tasks in the browser — you'll be signed in automatically (link is single-use, valid for 5 minutes):
> <WEB_LOGIN_URL>
Mondoo Skill Check report: https://mondoo.com/ai-agent-security/skills/clawhub/panitw/todo4-onboard